segfault due to buffer overrun in usb-serial
commit beb8eab90cd52ce1b53c4b91bab10e954ea14eea
author David S. Ahern <daahern@cisco.com>
Wed, 3 Feb 2010 16:00:54 +0000 (3 09:00 -0700)
committer Anthony Liguori <aliguori@us.ibm.com>
Tue, 23 Feb 2010 20:07:57 +0000 (23 14:07 -0600)
tree 358c5cf3243736e0969dc2df58a79ff8453dfdfd
parent 8d67694fbf6eaa7400a0a9af5f8b7b55eaa28b14
segfault due to buffer overrun in usb-serial

This fixes a segfault due to buffer overrun in the usb-serial device.
The memcpy was incrementing the start location by recv_used, yet the
computation of first_size (how much to write at the end of the buffer
before wrapping to the front) was not accounting for it. This causes the
next element after the receive buffer (recv_ptr) to get overwritten with
random data.

Signed-off-by: David Ahern <daahern@cisco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4ab4183d766f10f9fc35cd9ef4acee39f241986f)
hw/usb-serial.c
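
The sizing mistake described in the commit message, next to a bounded ring-buffer write, as an added example that is not the code from hw/usb-serial.c. The struct, the function names and RING_SIZE are assumptions made for illustration; rd and used play the roles of recv_ptr and recv_used.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 8  /* constructed size for the demo, not the device's */

struct ring {                     /* hypothetical layout and names */
    unsigned char buf[RING_SIZE];
    size_t rd;                    /* oldest unread byte (role of recv_ptr) */
    size_t used;                  /* bytes stored (role of recv_used) */
};

/* Sizing as the commit message describes the bug: the chunk length is
 * measured from rd, but the copy would start at rd + used. Returns the
 * one-past-the-end offset of that first copy; performs no write. */
static size_t flawed_first_end(const struct ring *r, size_t size)
{
    size_t first = RING_SIZE - r->rd;
    if (first > size)
        first = size;
    return r->rd + r->used + first;
}

/* Bounded write: clamp to free space, then size the first chunk from the
 * real write offset. Returns the number of bytes stored. */
static size_t ring_write(struct ring *r, const unsigned char *src, size_t size)
{
    size_t room = RING_SIZE - r->used;
    if (size > room)
        size = room;
    size_t start = (r->rd + r->used) % RING_SIZE;
    size_t first = RING_SIZE - start;
    if (first > size)
        first = size;
    memcpy(r->buf + start, src, first);          /* up to end of buffer */
    memcpy(r->buf, src + first, size - first);   /* wrapped remainder */
    r->used += size;
    return size;
}

int main(void)
{
    struct ring r = { .rd = 5, .used = 2 };
    printf("flawed end offset: %zu of %d\n", flawed_first_end(&r, 3), RING_SIZE);
    printf("stored: %zu\n", ring_write(&r, (const unsigned char *)"ABC", 3));
    return 0;
}
```

With rd = 5 and used = 2, the flawed sizing puts the end of the first copy at offset 10 in an 8-byte buffer, which is how the field laid out after the buffer gets overwritten; the bounded version writes one byte at index 7 and wraps the other two to the front.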